The Importance of Biosecurity in Biorisk Program Management

What to know

The views expressed in written materials or publications and by speakers and moderators do not necessarily reflect the official policies of the Department of Health and Human Services, nor does the mention of trade names, commercial practices, or organizations imply endorsement by the U.S. government.

Image file with logos for the Centers for Disease Control and Prevention (CDC), University of New Mexico Health Sciences, and Project Extension for Community Healthcare Outcomes (ECHO).
Format: MP3
Language: English (US)
Size: 48 MB
Image file with logos for the Centers for Disease Control and Prevention (CDC), University of New Mexico Health Sciences, and Project Extension for Community Healthcare Outcomes (ECHO).

Slides

The Importance of Biosecurity in Biorisk Program Management (Presentation Slides)
Presentation slides for the "The Importance of Biosecurity in Biorisk Program Management" ECHO Biosa...
Download
Download

Transcript

Date of session: 10/22/2024

Facilitator
Aufra C. Araujo, PhD
Centers for Disease Control and Prevention
DLSbiosafety@cdc.gov

Didactic Speaker
Cristine C. Lawson, PhD, RBP, CBSP
U.S. Department of Defense
cristine.c.lawson.civ@health.mil

Aufra Araujo: Good afternoon. Good morning and good evening, everyone. My name is Aufra Araujo, and I want to extend a warm welcome from the Centers for Disease Control and Prevention in Atlanta, Georgia. I am the CDC ECHO Biosafety Program Lead and the Acting Safety Team Lead in CDC's Division of Laboratory Systems.

Thank you for joining our ninth Extension for Community Health Outcomes, or ECHO, Biosafety session for 2024. The topic for this interactive discussion is The Importance of Biosecurity in Biorisk Program Management. Today's subject matter expert is Dr. Christine Lawson from the Biological Select Agent and Toxin (BSAT) Biorisk Program Office in Frederick, Maryland. Let me stop sharing for a moment. And, you know I'd like to ask everyone a quick icebreaker question, which is already in the chat. Where are you calling from today? And what's your favorite Halloween candy? Let's just get to know each other and know where you are from.

I start by calling on someone to unmute and respond and then ask them to choose the next person. Feel free to also put your answers in the chat. I love to hear from you. I see North Dakota, oh, peanut butter Snickers, I like that. Let's see. Let me just look around and call somebody randomly. I see Rashida Moore. Would you like to unmute and share?

Rashida Moore: Hello. Yes, I'm calling from Atlanta. And I basically, like anything, chocolate. Not really dark chocolate, but if it's mixed with milk, I will eat it. And I'm calling on somebody else, Courtney, because my maiden name is Horton. That's why I'm calling Courtney.

Aufra Araujo: Courtney, you'd like to unmute and share with us where you're calling from and what's your favorite Halloween candy? Maybe somebody else. I wonder if she's having-- if they are having trouble connecting or meeting.

Rashida Moore: What about Nilam? Is that Nilam?

Nilam P.: Yeah, correct. Nilam from Monmouth Medical Center, New Jersey. And Snickers, I like it.

Aufra Araujo: Nice. Would you like to call someone randomly? OK, I can call someone, somebody else. I see on the screen. Let me move to the fourth screen of names. Rebecca Lloyd, would you like to share where you calling from and what's your favorite Halloween candy?

Rebecca Lloyd: Hi, there. I'm actually a part of Air Force, but I'm calling from Detroit, Michigan. And probably anything sweet and sour, like SweeTarts.

Aufra Araujo: Nice. Wow, that's determination, calling from the airport. Appreciate you connecting with us today. Would you like to call somebody? Can you see names on the screen?

Rebecca Lloyd: How about Erica Hostetler?

Erica Hostetler: Hi. I am calling from Springfield, Illinois. And really, any candy. I like that I can steal it from my kids so I have a variety of stuff I can have.

Aufra Araujo: I love that. Well, please keep entering your answers in the chat. The purpose is to get to know each other and connect. Let me start sharing again, share my screen. All right, so moving to the next slide.

Now I'd like to provide a brief recap from our last session in September. It featured Ben Fontes, who presented on Operations: Emergency Response and Contingency Plans. Ben's discussion focused on the importance of proactive biohazard emergency planning through collaboration, regular drills, and clear protocols. Drawing on experience with ISO 35001 and Yale Environmental Health and Safety, Ben highlighted the need for written, practiced, and updated plans with input from internal teams and external partners. Fontes stressed that preparedness begins before emergencies with a focus on timely healthcare access, proper responder training, and continuous improvement through lessons learned.

The box on the slide shows a participant's comment about involving the fire hazmat team and partners in a drill with their BSL-3 laboratory We had 119 participants attending the session who were affiliated with 67 organizations. The map on the right shows where these participants are located. The states shaded in green had participants from at least one organization. Also in attendance were participants from seven national organizations, and at least one organization located in Belize. We encourage you to share information about our ECHO Biosafety sessions with your colleagues and to connect amongst yourselves via chat if you'd like.

Before we continue, I'd like to address some technical aspects of our ECHO Biosafety sessions. Please use the video capabilities of your device for this session. Currently, all audience microphones are muted. When engaging the discussion-- and there will be plenty of opportunities to engage in the discussion today-- please unmute yourself to speak. Closed captioning is provided through Zoom for this session.

If you are experiencing technical difficulties during the session, please send a private chat message to George Xiang, who is labeled as CDC ECHO Tech. George will do his best to respond to your issue. If you are connecting to Zoom by phone only at the time of discussion, please introduce yourself by stating your name and institution before speaking.

We encourage your active participation by sharing your knowledge and experience. Each laboratory is unique, and your skill sets are unique, so your contributions to the discussion are valuable. Let me go to the next slide.

Here is a brief overview of today's session. I will introduce our subject matter expert, Christine Lawson, who will provide a didactic presentation and real-case discussion. Then, my colleague, Mary Casey-Moore, will summarize today's discussion. Closing comments and reminders will follow, and we will adjourn this session. Today's session is being recorded. If you prefer not to be recorded, please disconnect now.

The transcript, audio recording, presentation slides, and other resources will be posted on the DLS ECHO Biosafety website a few weeks after today's session. I'd like to remind everyone that these slides contain presentation material from speakers who are not affiliated with CDC. Presentation content from external speakers may not necessarily reflect CDC's official position.

And now it is my pleasure to introduce today's presenter. Dr. Christine Lawson serves as the Deputy Director for Biosecurity for the Department of Defense (DOD) Biological Select Agents and Toxins (BSAT) Biorisk Program Office, or BBPO. She is responsible for all DOD BSAT Biorisk Program oversight activities, including inventory management, security requirements, information management, operations, and incident response.

Dr. Lawson received her PhD in microbiology and immunology from the University of North Carolina at Chapel Hill and as a postdoctoral fellow with the National Biosafety and Biocontainment Training Program at the National Institutes of Health. She led a large structured operational and programmatic reviews of several biological programs, spanning federal, state, and privately-owned facilities. Cris, the floor is yours. And I stop sharing. So you can share your slides now.

Christine Lawson: Let me see if everybody can hear me and everybody can see my slides. All right, so I'm going to apologize from last night to today. My voice got a little hoarse, so I don't know if I'm coming down with something. So you guys will have to bear with me, and I apologize. So good afternoon. As Aufra said, my name is Christine Lawson. And I'm the Deputy Director for Biosecurity with the Department of Defense, Biological Select Agents and Toxins Biorisk Program Office. It's a mouthful, BBPO.

And today, hopefully, I'm going to be able to share with you a little bit about my views on biosecurity and how that integrates into biorisk management and why I believe biosecurity is important. So this is my required disclaimer, much similar to the one that was just made. I need to tell you that the views in this presentation are not that of the U.S. Army, the DOD, or the federal government. They are my own.

And here's just a little overview of what we're going to talk about today. So first, we're going to look at different biosecurity definitions, talk a little bit about building integrated biorisk programs, and then we'll discuss why biosecurity is important, which really, to me, is the fun part, is when we get to talk about the case studies. And then I'm actually going to challenge you to redefine biosecurity with me. And if we have time, hopefully I will be able to finish the talk with a few closing remarks.

So we'll start with defining biosecurity. So here on the screen, you should be able to see four different definitions that exist today on biosecurity. As you can see, both the WHO and the ISO definitions talk about practices and controls that are aimed to prevent and reduce loss, theft, misuse, diversion or release of biological materials. The two right underneath that is the definitions that exist on the sixth edition of the BMBL, which I'm sure all of you are familiar with, and that actually the BMBL proposes two different definitions, one that's geared towards biosecurity in the laboratory, which focused on, again, preventing loss, theft, deliberate misuse of biologicals, and one that is focused on agricultural biosecurity, which focused on protecting, managing, and responding to risks associated with food, agriculture, health, and the environment.

And the list goes on and on. So the USDA/APHIS talks about that would be that first definition about preventing disease from affecting livestock, crops, the environment, and people. And there are many other definitions today that exist for biosecurity. And I'm going to give you guys these slides so you can spend some time reading those.

But the point here is that we have all of these different concepts on biosecurity. And then to make things a little bit more difficult, there are actually many languages that actually have only one term that describes both the concepts of biosafety and biosecurity-- essentially, one word to describe how workers, the public, animal health, plant health, the environment, and research, for example, has to be protected.

I do have to say that a few countries today, including what I know of, which is Mexico and China, are starting in the process of separating the terms and having a term for biosafety and biosecurity. But many languages, as shown here, actually only have one term to describe it.

So even though what I just said to you, that there are a bunch of different definitions of biosecurity, languages that have just one word to define biosafety and biosecurity, if you actually pull the thread through all of those, a common theme will arise. And that is that biosecurity is designed to keep in what needs to stay in and keep out what needs to stay out. The different definitions, they all share this common theme. And they're mostly different because they're tailored towards the greater hazards to that community.

So it makes sense that agriculture is going to look through a lens, and that laboratory is going to look through another lens. So that's the reason why you see those differences. But the elements of physical security, material accountability, personnel reliability, and suitability, informational security, all of that is common to all of those definitions. All of these elements essentially work together so that, again, the public animal and plant health, the environment and research, is protected-- again, ensuring what needs to stay in stays in, and what needs to stay out will stay out.

So since we're talking about things staying in or staying out, I do hope that, just from that, you start seeing that truly biosafety and biosecurity are complementary disciplines. They are important together. And it's important that we align mitigation of safety and security risks together. And here's really where the concept of building integrated biorisk programs or biorisk management programs, however you want to call it, comes in.

It's the idea that you have a management systems approach that enables an organization to effectively essentially identify, assess, control, and evaluate, not just biosafety, but also biosecurity risks, that are inherent to its activities. So ISO 35001, which is the theme, to my understanding, of all these talks this year, defines by risk as the effects of uncertainty expressed by a combination of consequences to an event and the associated likelihood of that to occur, essentially.

And it frames that the harm, the source of harm, is biological materials. And then it goes on to define that harm is the adverse effect on people, animals, plants, the environment, and property. And it tells us that harm can be a consequence of unintentional exposure, accidental release, but also loss, theft, diversion. And essentially, what this does, it does the job for us of bringing biosafety and biosecurity together where they belong.

Because at the end of the day, it doesn't matter if the harm was caused by an LAI or because someone stole a vial. It will have an effect. And we all, together, need to address the risks. And talking about biorisk, that means then we need to start with the root of it all, which is a risk assessment. There are many types of risks, and they all require a robust risk assessment and a risk mitigation plan or strategy or risk, whatever you call it, then pending how you call it, but you need to develop some sort of mitigation plan to that risk.

In biosecurity, you often hear it called a threat assessment or a vulnerability assessment. But the truth is that it's all a risk assessment. That's all it is you are looking at the risk of a hazard. And then that hazard can be different things. It can be a risk assessment of an insider threat, for example, or the hazard can be that you actually don't have a good inventory system.

Again, it's about assessing the risk for a specific hazard at your entity. As you know, risk is a function right of probability and consequence. And the guiding principle is you identify the hazard. You look at the potential consequence and the probability of it occurring so you can then determine the risk and then you can develop a risk mitigation plan.

I'm not going to go over the entire process. There are much better people at doing that than I ever will be. But the most important point that I want to make is that you have to perform a risk assessment, and you have to develop a risk mitigation plan. But then you have to continuously assess that. That has to occur on a recurring basis. And most important is that in order for that risk assessment in that mitigation plan to be meaningful, you need to have a team of people with knowledge and expertise to be part of that process.

Your experts are the ones that will have the most insight on the hazard. So we have to bring them to the table to be part of the risk assessment and developing that risk mitigation plan. We have to remember that a laboratory working with select agents and toxins, for example, besides the regulatory requirements they have, you will have different risks that they need to focus on than, let's say, a clinical laboratory or a farm. They all have different risks.

So I want to take a moment for us to just pause. And Aufra can stop me if I'm saying this wrong. But you can either drop it on the chat or if you want to unmute yourself. We have 100 and, what, 29 people right now from all over. What is a risk that you can think that is unique to your setting?

And if I just have one of you guys maybe share. And again, you can put it in the chat or one of you can think, try to think of a risk that's unique to your setting. Maybe, again, you work at a lab that deals with BSAT or you work at a clinical laboratory. But talk about a hazard that you deal with and maybe a risk that comes with that hazard that may be unique to your setting. And it can be anyone.

I had somebody say transport of hazardous material between research spaces, for example. And that will look different. It will be different if you are at a farm, for example, or if you are in a building that is secured. And I see a lot of good things going in. Again, movement of things through restricted areas because of BSAT waste management. That might look different for you as it will for others.

I have somebody talking about transport of specimens between an internal lab space and an external lab space. And that's true. Even if that might be something that is common to us all, it will still look different at our settings. Because each one of our entities will have different needs. And it will be addressing these things differently.

So I appreciate you guys putting things in the chat. So again, we were talking about risk assessment. And one of the things that the ISO then moves on to talk about is biorisk. And biorisk is a coordination of activities to direct and control an organization with regard to biorisk. It goes on to say that biorisk management is a system or a part of a system that will establish policies, objectives, and processes to achieve those objectives.

And what is that objective? So for biorisk management, the objective is to mitigate risk. We were just discussing this idea of working together to do a risk assessment and how you need to bring your experts to the table so that when you are conducting the risk assessment and developing mitigation plans, you're doing so with the people that know the hazard the best. But that's only one piece of the puzzle.

Risk and risk mitigation strategies need also to be verbalized to your leadership because they need to be built based on your entity's goals. Based on the goals of the entity, leadership will be able to tell you how comfortable they are or not with taking a risk. They will be able to tell you how much risk they are willing to take, and they also will be able to tell you the constraints, where is your sandbox, and the budget that you have to mitigate those risks.

And one of the things that I always like to talk about when we get to this part is that we're talking about mitigating risk. That means every risk mitigation plan and strategy that we put in place can only reduce risk to an acceptable level. It will never be 0. In order for it to be 0, it means you don't perform the work. So that's another conversation that always has to happen between everybody that's working on developing risk mitigation and leadership so that they have a good understanding of that.

The ISO itself provides a biorisk management model. And it's depicted in this picture here. This is straight out of the ISO. And the idea here is that you're looking at a pyramid from the top. And that outer, wider part of the picture of the pyramid, the base, it's essentially the entity's mission and vision. What is the objectives and the work that is going to be accomplished at that place, what is relevant to its purpose, and, also, the needs and the expectations of all of the stakeholders in that place.

And then you move on to the second part there, a lighter shade. And that's the scope of the biorisk management system. Essentially, the idea is that the organization is going to use knowledge from that base of its mission and its vision and input from the stakeholders to determine what the biorisk management system will look like. And then if you go to the inner part, then you were talking about leadership.

And leadership being able to show commitment and support, if you will, to the biorisk management system by making sure policies are established, that they are in force, that they're compatible with the strategic direction of that organization, and also ensuring that buyer risk management is integrated into the process. Resources are available. Communication is flowing. And the importance of biorisk management is being communicated out, defining roles, and all of those things.

And then in the middle part, which is the little white circles on that picture and squares, you arm your organization to do what they call the plan, do, check, and act cycle, if you will, where you plan. Here's where you do your risk assessment and you develop your risk mitigation strategies. Then you do, which is operationally putting into place those mitigation strategies.

Then you check. You can do that through metrics, internal audits. A lot of us do internal audits as far as internal inspections to look at how things work, how that mitigation strategy is working. And then you act, if necessary, for example, sometimes, because you need to develop a new plan, which means you need to do a new risk assessment, a new mitigation strategy, because something changed, something might have changed about your institution, about that research or something.

Sometimes you just need to implement an improvement strategy because your metrics have shown that things are not working well. That mitigation strategy that you thought maybe was going to work isn't working well. But it's a continuous cycle, like we were talking about in the beginning when we're talking about risk assessment. The idea is that has to continuously occur. And at the center of it all, again, is support. It's the resources needed to establish and implement and evaluate and continuously improve the system.

It's establishing things like health programs and training and personnel reliability and communication and information security and personnel security at your entity safety programs. So as you can see, everybody really is a part of this puzzle. And it's important that you understand that you are a part of that process. So if you stop and think about it for a minute on your own situation and your own entity, do you believe that you are part of this process? And if so, where?

Do you ever think about what you do in your space, in your little space, how that actually can affect your entity as a whole and your biorisk program as a whole? So I think that's something that I like to call out because I think that we tend to forget sometimes that really, we all play a part on this.

So we talked about biosecurity, about how biosafety and biosecurity are complementary disciplines, disciplines that need to work together in order to mitigate biorisk. And I briefly went through the concept of biorisk management from the ISO, and this idea that everyone plays a part in biorisk management.

But why is mitigating security risks as important as mitigating safety risks? Why is biosecurity important when you're looking at an integrated biorisk program? So here's why it's important. And I know some of us probably have heard me give a talk similar to this, in which it says, it's important because, for example, in 1984, a nurse practitioner actually legally purchased, through her state-licensed medical laboratory, Bactrol disks from VWR Scientific, that those disks had Salmonella typhimurium on it.

And then that nurse proceeded to isolate that bacteria from the disks, grew cultures from it. And those cultures were used to contaminate the salad bars in about 10 restaurants in the small town in Oregon. That caused 751 people to become ill, and 45 of those folks had to be sent to the hospital. It turned out that nurse practitioner was part of a religious cult that had established a very large commune in the county.

And they wanted to overthrow two commissioners that were hostile towards that cult. And those two commissioners were up for re-election. So this was really a trial run on this idea that they could get voters sick, plus a bunch of other people. And literally, if you read it, you'll notice I have a bunch of PDFs and links at the bottom of the screen on those slides that you can use to read more about it.

But the idea is that they wanted to ensure that the election would be swayed towards the commissioners that they wanted. Well, that trial run, as I said, ended up leaving 751 people sick. And despite the success of the contamination, thankfully, there were no follow-on attacks because they ended up abandoning their efforts, as there was a lot of legal pressure in the publicity on this attack.

So again, I ask you to either unmute yourself and talk, which I love interacting with you guys, so if you would like to do that, or not, if you want to use the chat. What happened? So thinking from a biosecurity perspective, from the story I just told you, what happened? I know, I'm putting everybody on the spot.

And I apologize. I have to look to the side to see you guys if anybody says anything. So somebody said failure to monitor your purchasing orders. So maybe an unauthorized purchase was made. This is another one of the things that was said. That speaks to something in biosecurity, which is a loss of accountability. At the end of the day, was it a failure to monitor what was being purchased, if a purchase was authorized or not?

What else could have been? So let's say that the purchase had been authorized and you were supposed to have those Bactrol disks in hand to use. What are other things that helped, potentially, this loss of accountability, that allowed this person to use, essentially, isolate the bacteria from it?

Jeff Potts: Cris, this is Jeff. I'll be bold and come off mute.

Christine Lawson: Thank you.

Jeff Potts: The ISO standard includes personal reliability and the standard. And I know some of us are familiar with that when it comes to tier one select agents. But the ISO standard really kind of applies that across the board for anything that you're doing. So certainly, this could be a case here. And implementing that on multiple levels can be a challenge.

Christine Lawson: I agree, and thanks for bringing that up. So not only maybe it was a loss of accountability, but also, should they've been worried about suitability? Should they have been talking about that? Should they have been knowing more about the folks that are working for them? Some of the other things that came up, misuse of material. And then it says bad intentions, which speaks a little bit about what Jeff was just saying.

She was able to grow cultures and then carrying them out of the building. And there's another comment about the accountability of folks self-reporting of, again, suitability for working in that space. Somebody poses the question, if she was a nurse, would you expect her to be growing cultures? Were people actually paying attention to what she was doing? But that speaks to the common right underneath it, which is that no supervision of what the person was doing.

So as we're talking through this, you can see how biosecurity is important. And it will differ in the levels of what you're doing. So speaking a little bit about what Jeff was just alluding to, some of us are very intimate, knowledgeable about suitability and reliability programs because we work with BSAT. So there's a regulatory requirement for that.

We're acutely aware, if you're doing tier one BSAT work, we're going to have to have some kind of suitability. But at a state lab, for example, is that something that you would have thought of? Is it something that is important to your leadership? And is it something that we should start talking about? Because also, the point of this conversation is not to get labs to swing to the point of, "We must restrict everything and everything is to be looked under the microscope." Because that also doesn't help.

But finding where is the line where you can start mitigating risks in a way that makes sense to your entity and maybe starts helping things like that not happening anymore. So what maybe could have done to prevent it? What would have been things that, maybe if they had been in place, would have helped prevent this from happening? And again, the chat is open. And if you want to come off mute and talk.

Aufra Araujo: I'm not sure if you saw a comment in the chat, where somebody posed the question, was anyone at the institution responsible for a laboratory inspection program or inventory? That also, I think, would address the prevention, quote, unquote, aspect of it.

Christine Lawson: Right. And I'm sorry. It just came in for me. I think I got a little delay and then two of them came in together. So how do you address that? Would have been maybe having some sort of program that does inspections and look at inventory and what you have? And should there have been a log for how those Bactrol disks were accounted for?

Another one of the comments was if you don't have BSAT, you might not have a suitability and reliability program. So that makes it even harder. How could you have mitigated that? So what could have been done to prevent it? Maybe would have been a log for the use of the Bactrol disks, maybe.

Somebody said a registration process to identify the need to work with certain pathogens. If somebody is going to have access to those things, there's maybe a process for that. That's a good idea. And then-- sorry, there was something else. Again, greater scrutiny on usage of lab equipment and lab supplies.

So those are things that maybe could have been in place that would have-- none of us can ever say that would have prevented it, but could have helped, maybe. And then another thing I want you to think as we're going through this-- so I'm sorry, somebody said tightening regulations on the acquisition, storage, and use of pathogens that could be dangerous, that could have prevented this.

As we're discussing this, think of your own entity's stance on it. Are any of those things important to your entity? And if so, have they been communicated out? And sometimes, we're not great at doing that as entity leaderships and communicating how important some of those things are. It's really easy for us to look at "biosecurity has to do only with BSAT," for example. We're only worried about the really dangerous stuff. "We don't have to think about that. We're just a clin lab."

But the truth is that we shouldn't necessarily dismiss it. It should be part of what we do every day and the things that we think about. I have another comment says understanding of how to take advantage of security vulnerabilities to remove pathogens from facility without being stopped. That's essentially what they used.

They were able to grow from those Bactrol disks and walk out of there with it and nobody thought twice about it. But you see where there are implications, no matter if you are a BSAT lab or if you are, essentially, a state-licensed laboratory. I have somebody saying that, "My understanding of the situation is that the lab was located on their compound. And then so oversight is within the members of the compound. And outsiders who entered the compound were put at risk."

And that was a documentary that was done on Netflix. And you are correct. The salad bars weren't the only targets. But the original samples of Bactrol actually weren't from the laboratory. That was on the side of the compound was where she worked outside of the compound. That's where she was able to acquire those.

And there's more information on those. But you are correct, too. What if that licensed laboratory was inside of the compound? Is there anything in place that allows the state to regulate any of this, how many of those were sold, and things like that? So again, that's where then regulations come in.

This idea that it does affect everybody, not just the BSAT lab, not just the laboratory that is handling something that most of us consider to be very dangerous, that these situations can happen in clinical laboratories or state laboratories that could lead to biosecurity breaches, and therefore, put our entities and folks at risk.

I'm sorry, there is-- And there's another really good point. Registration is all good and well, but monitoring the activities and purchases of every individual in a BSL-2 would be impossible with current staffing. And I think that's a really important point. And it goes back to what we were just talking about that the ISO lays out, which is what is important to your entity? And how do you view that, and how would you be able to mitigate that? Because you are correct. I'm by no means advocating we start-- again, swing the pendulum the other way and start registering everything. But then let's think about, for each one of our entities, what are the things that we do need to maybe keep accountability for, the things that could open the door for something like this happening.

And I don't necessarily have an answer for that because I'm not your entity. I'm not you. I don't understand and I don't know exactly what your values and what resources you have. It's fine-tuning to figuring it out. And that's where the risk assessment, the risk mitigation plan is so important, and why everybody has to be a part of it. Because you have to find the balance within your space of what's important to you and what will help mitigate risks that you actually do have to think about it and you have to worry about.

So I hope that sort of got-- at least you thinking about biosecurity in that environment and framing biosecurity a little bit different. I'm going to move us on to the next case study unless there's any other burning desires. I know I have a couple of other things that popped up through the chat. But is there anybody else that have any last-minute thoughts on this before we move on to the next one?

All right, hearing nothing. And we'll move on to the next one. So this one, in a sense, is similar. So this is 1996, Diane Thompson. And this is a clinical lab tech. And she also stole the little beads that had been impregnated with Shigella at the Saint Paul Medical Center, in Texas. And she used it to contaminate muffins and donuts that she then fed to her co-workers.

All of them became ill. It was, I believe 13 folks had been exposed to it. And it turned out during the investigation that the police discovered that a year before that, her boyfriend had very similar symptoms to her coworker several times, and that she was actually systematically poisoning him for several months, going as far as switching his stool sample at the lab to ensure that he did not test positive for a bacterial infection.

So in 1995, she had done all of these things to her boyfriend. He actually had filed with the police. It ends up that he even moved out of the area because he became so afraid of her. She also had ended up slashing his tires several times, poured, I believe, sugar in his fuel tank of his car. And those things that all happen during several months, the prior year. And then this ended up happening with the laboratory.

And so, again, thinking from a security perspective, just like we talked about the case in Oregon, what happened? So, again, she was able to steal these beads that had, in the lab, been impregnated with Shigella. And it turned out that they actually did have a count for those beads. And two of them were missing. And they didn't realize that they were missing. So again, from a biosecurity perspective, what happened?

So somebody says there's some details missing. Medical centers do have access to these pathogens through samples that are submitted, true. "Proper monitoring of staff and what materials are allowed in the laboratory space—" I'm sorry, I lost your—"should be considered." And it's very true. They do have access to those pathogens constantly, and they would have had. So you need to consider those things.

Somebody said even a simple inventory would have helped, if they knew how many beads they have, but nobody knew that they were missing. There was no background check done, since she did this to 1995 to her boyfriend because it never became a red flag for them. Maybe the laboratory supervisor wasn't enforcing policies and procedures. There was no proper inventory and reporting systems of anything.

And again, what does that look like from your entity's perspective? Do you have to do that for every single one of the samples that come in? How do you write that mitigation strategy? That would depend on the risk assessment that you do together at your entity to figure that out. Do you essentially create maybe an inventory and reporting system for pathogens that cause human disease because that's really what matters to you?

One of the questions is, inventory is one thing, but if I subculture and stash it in my car, then how do you monitor for that? Or I substitute a plate slant and take it home to my garage lab. There are always going to be ways that people that really want it will try to beat the system. You're right. You would have to look at everybody's pockets before they leave the facility. But you can have things in place to try to prevent that from happening and dissuade people from doing things like that.

Is it possible that person would have thought twice if there was an inventory system and they knew that they would know fairly easily that those beads were missing? Because whoever made the comment is correct, you are not going to be able to stop everything. But again, the risk assessment and the risk mitigation plan that's going to come from that maybe will start helping you develop something that will allow you to try to prevent some of those things from happening.

And then somebody says, it's all about making it hard to beat the system, not making it foolproof, which is absolutely right. And then there needs to be a way to communicate concerns safely and without retribution. A lot of people won't report behaviors because they don't want to get in trouble or they don't want to hurt somebody's feelings. And that's absolutely true.

And as we're talking about all of these things, I hope this is also highlighting how important it is for us when we're thinking about biorisk management, that is not just in the hands of the folks doing biorisk. Because if leadership doesn't support any of the things that you want to put in place, if the risk assessment and the risk mitigation plan was not circulated through everybody and everybody has made an agreement that that's where the resources were going to go and that was the important things to be mitigated, we can talk about this and the need and how important those things are and not necessarily really focus on implementing things that will work or even come to prevent anything.

When you talk about communicating concerns safely and without retribution, that means leadership needed to be on board to already have put together a policy that says, hey, if you guys see something that makes you uncomfortable, it's OK for us to talk about it. And there won't be a repercussion on you doing that.

So here are the questions. Would a suitability program maybe have helped? Would material accountability have helped? Would maybe having standardized procedures for anyone handling, for example, human pathogens, would that maybe have helped?

And do you, at your entity, have anything in place like that? Because really what I'm trying to highlight is that we don't-- I don't think that I, Christine, when I was a graduate student, saw myself as a target, possibly ever, to anybody wanting to take anything from us. That was a reality that, to me, was non-existent. Why would they want to come in my lab and take anything? We're just down here doing our own thing.

I don't work with Ebola or anything like that. But were those things that we needed to be thinking about? And are those things that all of our entities need to start thinking about? Because if we're going to say that biosafety and biosecurity work together and that we have to look at safety and security mitigation, ensuring that we have security also ensures our safety, not just the safety of the folks that are sitting in our lab, but the things that they possibly could bring home and what that would affect.

Somebody already made the comment, there has to be some way to build a culture where security and safety at that entity is supported by leadership. And making sure everybody understands that at all levels that is important. I have another comment that says I believe suitability should be an ongoing consideration, including interviews with former coworkers, observations of behavior outside of the work environment, and comments about other communities or individuals, like social media. These factors are essential for strengthening trust in individuals with access to sensitive information, BT agents and resources, lifestyle and behaviors and beliefs accumulate and have an impact on biosecurity.

And I agree with that. But again, I also agree that, as we are sitting at our entities, how do we modulate that so it serves our purpose, so it serves the hazards that are in our space, so, again, we don't swing the pendulum so far that actually ends up creating more of a problem, in creating more of a risk, because you're not really addressing the things that are important and are in tune to what you need?

Because that's true. Somebody says, it's a huge cost barrier. If you don't have BSAT, for example, you don't have a regulatory requirement to do suitability. And it is a huge cost barrier. But think about, again, to your entity. Do you need to have a really robust suitability program, or are there things that can be implemented, for example, that are not going to be so cost prohibitive, but could help with the establishment of some sort of suitability and reliability program?

So as you're thinking through those things, how do those, looking at these case studies and looking at loss of accountability and perhaps not knowing what had happened in the lives of these folks, is that something that's going to be important for you as an entity?

Somebody said, see something, say something. And it's true. Another comment on privacy issues can make suitability programs a little tricky. And then another common is the problem here is that if we don't have a regulation that requires, you can't justify the need for it. So it's learning how to package that discussion to show how much is necessary. And I agree, absolutely.

It might not be a regulatory requirement, but as you're doing your risk assessment, if you're able to point out, from that hazard perspective, what the probability of it occurring and what the consequence of it would be to your entity, maybe that's how you can couch that's important in your case.

A couple more came in. In addition to biosecurity agents of intent, it also applies to prevent theft or loss of intellectual property. And I would have to thank you because that kind of goes in what we're going to talk about next, which is another case study.

So here's another important point to why biosecurity is important. And I don't usually like to call out names, and people do that, because I don't like folks feeling like. But thank you. So in 2017, Merck's computers were infected with a virus that caused disruption of their sales, manufacturing, and research and development. They, along with many other companies, actually were impacted by this virus and have made comments that data they'll never be able to recover was lost with that attack.

So, again, bringing this now to information security. In 2021, there was an attack to the University of Oxford division of biology research. Hackers gained access to their systems, their BAS system for the laboratory equipment. And they disabled pressure alarms, messed with a bunch of the pumps of machines that are being used to purify proteins to prepare samples for coronavirus research.

So it's harmful intent here that applies to, essentially, information, data that is also important for your entity and then how important that is. But I wanted to bring this in because a lot of times when we see those, somebody talking about Merck having downloaded a software that impacted them and impacted companies at 65 other countries, we think about those things as being completely outside of our control.

When the truth is, it's not. There's information security that needs to be in place. And how good are we about following cyber security policies? It's, again, back to what we do in the lab on our own little world. How does that impact your cybersecurity and your informational security? How does that maybe help open the door for loss or theft of intellectual property?

If you're keeping data in your computer and you're also clicking on links that you end up being a victim of phishing or something like that, what does that mean? So do you believe how you use your work computer can contribute to the things that happen here? And the truth is, yes. Because somebody already said this on the chat, there should be a standard, for example, where people download things from that goes into their computers that maybe not have a proper validation and it has opened a door for a malware or virus to go in that would affect intellectual property and your data, the integrity of your data.

So then we talk about the other side of the spectrum here. Somebody made a comment, closed computer systems, or high containment labs with closed computer systems, meaning it never sees-- we call them nippers-- a network, an open network. But the truth is, most computers do need access to a network.

So again, a risk assessment needs to be done. And a risk mitigation strategy needs to be put in place for your cybersecurity policies.

What does cybersecurity protect? If you stop and think for a minute, do you often think about cybersecurity as part of a biosecurity system and part of a biorisk management program? And what does cybersecurity protect?

We can start by saying it definitely protects intellectual property, especially because today, most of our data is kept in computers. It can protect PHI, trade secrets, facility information. What is an example of facility information that can be absolutely used through cybersecurity for a really bad purpose? Let's suppose you have animals in your facility and somebody gains access. Because a lot of our facilities today have systems that control the humidity and the temperature in these rooms for these animals, for example.

How do you ensure that they are protected, that you're not losing those lives that are being dedicated to us understanding a part of science better? Everybody use electronic laboratory notebooks. So do you know your cybersecurity policies? Do you often think about them, again, as being part of your biosecurity and of your biorisk management program?

And I'm going to ask somebody to give me a heads up on how much time we have left, because I don't know for the whole time that we have together I've been talking.

Aufra Araujo: Hi, Cris. About 5 to 8 minutes.

Christine Lawson: OK, all right. So I'm going to have to wrap up. Somebody said, not just the agency, but IT department that backs up that data. Yes. Do they need to be brought in when you're doing a risk assessment? Are we, when we're doing risk assessment, bringing the folks that need to be at the table to do that risk assessment appropriately? Because your IT department knows how they back up that data, that's true, and how that data is protected.

So again, that goes back to doing risk assessment and involving everybody who actually has knowledge at the table so you can do that risk assessment together and develop a mitigation strategy that works and that is part of what's important to your organization.

I've only a little bit of time left, so I'm just going to close out with a couple of thoughts. One is this idea of redefining biosecurity. What I'm hoping is that conversation that we've had today is that I've convinced you that biosecurity is an important part of biorisk management. I'm sure a lot of you already felt that way, but I think it gets lost a lot, in that we don't think about really what's important about biosecurity and what we do every day. And there are many things that are.

And maybe we redefine biosecurity, because as I started this conversation with you in the beginning, I was telling you that there's a bunch of different definitions. And people often look at those varying definitions and think that biosecurity not necessarily applies to them when it does. And really, what we need is to walk towards redefining biosecurity as more of a holistic concept and we don't get hung up on the little differing definitions.

We define it as applying principles, technologies, and processes that ensure protection and accountability that prevent loss, theft, misuse, diversion, unauthorized access and possession, introduction or release of pathogens-- toxins, or truly any other biological material-- and related information and/or technology. All of those things have to be part of security, all of these principles, applying these principles, technologies, and processes that we ensure that so that we can actually concentrate on building integrated biorisk programs at our entities.

So normally, everybody knows if you ever heard me talk, most people go through closing remarks by talking about what they told you and everything. But I'll let you go back and read through the slides and hopefully you can look at some of the links that I added to the slides, because they are really great resources. So instead of that, I wanted to spend a little bit of time with two tools. And again, if you heard me speak before, you probably are going, oh my God, this woman is going to talk about this again.

But really those are two tools that have helped me a lot when I'm thinking through risk assessment and risk mitigation. And one of them is the Lykke model. The model says that when that strategy equals ends plus ways plus means. So this Art Lykke theory of strategy essentially looks at strategy as a three legged stool, and it tells us if any of these legs is out of balance, then you are assuming greater risk.

Art argues that strategies supported by ends, which are the objectives, by ways which are the concepts for accomplishing those objectives and then by means, which is the resources for supporting those concepts. And the motto essentially has, poses three important questions, which what is to be done? How is it to be done? And what resources are required are needed for you to do it in that manner?

And the idea, again, is if any of these legs of the stool is out of balance, then one accepts a corresponding risk, unless you adjust the legs. That's the idea. So one might add resources or use a different concept or change the objective. You might decide to accept that risk. But essentially, what the strategy Harper is on is that in order for you to have a valid strategy, you must have an appropriate balance of your objectives, your concepts, and your resources. That is really the only way that you're going to have success. And if you don't, then you are at a greater risk.

And ends, ways, and means always kind get confusing, at least in my head. So the trick really here is to focus on the questions. Objectives will always answer the question of what is it that you're trying to achieve? And then concept always explains how the resources will be used. And, of course, resources will always explain what will be used to execute that concept.

I added the link so you can read about the Lykke model. But I like this idea. I really like this idea of the strategy. Think of the strategy as being, is that risk mitigation strategy that you just developed going to stand this test? Do you have the resources, the concepts, the objectives? Are the ends, ways, and means all being addressed so that you're actually going to be able to achieve that?

And then the next one that I want to leave you with is the five traits of a high-reliability organization. This was something that was developed a long time ago, and it really was directed at actually hospitals if I'm not mistaken. But the idea is that there are five traits to high-reliability organizations that need to exist in order for you to be a high-reliability organization.

One is this idea that, as an entity, as an organization, you have to be preoccupied with failure. You think about how things can fail and you encourage personnel to share their concerns. This idea that we have to be reluctant to simplify things, that we actually look for the source of the problem. You do a root-cause analysis and keep asking why. Go look for the root cause of that problem, that we're sensitive to operations. We are aware of how processes and systems affect our entity, and that we're not just making assumptions.

So this takes you back to that ISO thing, that bottom of that pyramid as you're looking up. Your entity, its mission, its vision, how is it operationally working? What is the work that's doing? So you understand that. You understand how those things affect your entity and you don't make assumptions.

This idea that you have to be resilient and prepared to respond to failures because they're going to happen. And now we're constantly looking for new solutions to prevent further failures, which really is a lot about what we were talking about as we were going through these case studies. And the most important thing is that we actually listen to the people that have the knowledge.

Independent of your seniority, we need to listen to the folks that have the most knowledge. And then you're bringing those folks to the table. Again, tying it back to what we've been discussing, it's bringing to the table the folks that actually understand the hazards so when you're doing your risk assessment, you're doing it with the ones that know it best.

And that's all I have for you today. Hopefully I didn't bore you to death. And I'm here for questions, if you have any, if we have time. And I apologize, Aufra, if I went over.

Aufra Araujo: That's perfect. Thank you, Cris, for your excellent and informative presentation. And thanks to the audience for participating in a productive discussion. Now, I would like to invite my colleague, Dr. Mary Casey-Moore, who is a Health Scientist in CDC's Division of Laboratory Systems, to provide a summary of the discussion from today's session. Mary, over to you.

Mary Casey-Moore: Thank you, Aufra. Today's discussion provided valuable insights to biosecurity, showcasing the shared experience and practices of our group. We explored four case studies for which I'll highlight the key points discussed both verbally and in the chat.

In the first case study, we examined the intentional contamination of salad bars with salmonella. During this discussion, we focused on several key points-- what happened? Failure in supervision, accountability, appropriate use of materials, and monitoring of purchases. In regards to what could have been done to prevent it, we talked about inventory inspections, such as looking at logs, a registration process to identify the need to work with certain pathogens, and also training on ethical considerations for laboratory personnel, such as see something, say something.

In regards to what is your entity's stance on this, it was discussed that without BSAT, it's even harder, since there's no suitability or reliability program. However, it was discussed that these aspects are still important in many lab environments. And this is where that risk assessment comes in to help in evaluating the resources available and then prioritizing what aspects need to be and can be implemented.

In the second case study, we examined an incident where the laboratory technician infected co-workers through contaminated muffins and donuts. During this discussion, we addressed what could have helped. We mentioned improved inventory control and tracking of laboratory materials, also regular evaluations and background checks for laboratory personnel.

It was also mentioned that it's difficult to stop every person from stealing from a laboratory. There's always going to be people who are going to try to beat the system, but we can put practices in place to try to prevent or sway people not to do those things. As it was stated in the chat, it's all about making it hard to beat the system, not making it foolproof.

It was also discussed that without regulation, it's hard to justify the need for it. Understandable, but as you're doing the risk assessment, if you can point out the probability and the consequences to your entity, that information may be used as a way to support that justification. In the final case studies, we examined two cybersecurity incidents that highlight the vulnerabilities in laboratory and research environments.

During this discussion, it was addressed that while individual scientists may not control company-wide IT policies, we can contribute to security by following best practices and reporting those suspicious activities. In the end, it all goes back to that risk assessment and developing those mitigation strategies for those specific risks. So overall, today's discussion emphasized the importance of biosecurity in our risk management practices, and we greatly appreciate everyone's active participation in today's session.

Christine, would you like to add any additional details about the discussion points that I may not have covered?

Christine Lawson: No, I don't think so. I think you covered them well. It's really that idea that we all just, together, thinking about risk assessment and how can we address some of the things, and thinking about the importance of biosafety and biosecurity as we're thinking about biorisk management. So thank you. I really appreciate it. And thank you for the opportunity to speak to the group. Again, I hope everybody got a little something out of it.

Aufra Araujo: Thank you both, Christine, for your wonderful presentation, and Mary, for summarizing the discussion. Thank you, the audience, for great participation. I have a few announcements that I'd like to share with you all before we conclude today's session.

First, I'd like to discuss the post-session survey. The QR code on the slide and the link in the chat will take you to the Qualtrics survey. This survey should take no more than two minutes to complete. Please, please, please do complete the survey. Your response will be anonymous, so no unique identifying information will be sought or kept. And the feedback we receive will be summarized in aggregate only.

Your participation is voluntary, but strongly encouraged, so we can continue improving the ECHO Biosafety program and achieve better outcomes with this community of practice. We appreciate your time in completing the survey. If you have any questions about the survey, the ECHO Biosafety sessions, or if you have laboratory biosafety challenge you'd like to present during the ECHO Biosafety session, please reach out to us at dlsbiosafety@cdc.gov.

Next, as part of the Division of Laboratory Systems commitment to biosafety and biosecurity, DLS is offering free access to the International Organization for Standardization, or ISO, 35001:2019 entitled, Biorisk management for laboratories and other related organizations. The offer is currently limited to interested laboratories and organizations within the United States.

The standard was first published in 2019, and it enables an organization to effectively identify, assess, control, and evaluate the laboratory biosafety and biosecurity risks inherent in its activities. It defines a process to identify, assess, control, and monitor the risks associated with hazardous biological materials. It is suggested for the use of laboratories that test, store, transport, work with, or dispose of hazardous biological materials.

Next, DLS requests that institutions wishing to gain access to the standard within the U.S. designate a point of contact to facilitate the process. Your point of contact will initiate the access request and assist in distributing access within your institution. This is how the process works. Your institution selects a POC responsible for biorisk management, such as the laboratory director, the biosafety officer, or another designee.

The POC emails the DLS Biosafety mailbox in the chat. It's dlsbiosafety@cdc.gov. And they request access to the standard, along with your institution's name and physical address. If your institution is approved, DLS will email your POC with further instructions. The POC must then submit the names of individuals within your institution who would like to receive the ISO standard, including their work email address and the individual's role in the organization.

This initiative aims to streamline the process and ensure that DLS has an organized list of individuals interested in receiving the ISO 35001 standard within each organization. DLS recognizes the importance of this standard in enhancing biorisk management in laboratories and encourages your institution to participate. For questions, please contact dlsbiosafety@cdc.gov.

And next, the upcoming virtual meeting is on November 6 and 7 from 11:00 AM to 5:00 PM Eastern time. The agenda will begin with agency updates from CDC, CMS, and FDA. Presentations and discussions will focus on reports from two CLIAC workgroups, the biosafety workgroup and the next generation sequencing workgroup. Discussion topics include cybersecurity, right in line with what was discussed today, cybersecurity requirements in the clinical laboratory, the determination of clinically relevant range of values for proficiency testing samples, and the utilization of remote technology for competency assessments. We look forward to your participation. Visit the CLIAC website to find meeting information and to contribute oral or written public comments to the meeting by October 29.

And finally, we are excited to have our next ECHO Biosafety session on Tuesday, November 19 at 12:00 PM Eastern time. The topic of discussion will be Biorisk Management Performance Evaluation, presented by Dr. Michael Pentella, who is the Director of the State Hygiene Laboratory and Clinical Professor at the University of Iowa.

As a reminder, the transcripts, audio recordings, and presentation slides from previous ECHO biosafety sessions are available on the DLS ECHO Biosafety website. With that, we will adjourn. Thank you for attending today's session. I hope you were intentional about having a safe and fantastic day. And we look forward to seeing you again in November. Bye, everyone.

Christine Lawson: Thank you.

Additional resources and related publications

Print
Content Source:
Division of Laboratory Systems